Event ID 3 — AD CS Certificate Request (Enrollment) Processing

Updated: July 8, 2009

Applies To: Windows Server 2008 R2

One of the primary functions of a certification authority (CA) is to evaluate certificate requests from clients and, if predefined criteria are met, issue certificates to those clients. In order for certificate enrollment to succeed, a number of elements must be in place before the request is submitted, including a CA with a valid CA certificate; properly configured certificate templates, client accounts, and certificate requests; and a way for the client to submit the request to the CA, have the request validated, and install the issued certificate.

Event Details

Product:

Windows Operating System

ID:

3

Source:

Microsoft-Windows-CertificationAuthority

Version:

6.1

Symbolic Name:

MSG_REQ_FAILED

Message:

The certificate request failed.

Resolve

Correct problems that prevent certificate requests from being processed

A number of problems can prevent a certificate request from being processed. If the event log message does not contain all the information you need to correct the problem, additional errors and warnings preceding or following this event log message can help you identify the cause.

To identify and resolve problems that can block certificate request processing, you should:

Confirm the certificate chain for the certification authority (CA).

Generate and publish new certificate revocation lists (CRLs).

Confirm the configured CRL distribution points.

If these steps do not resolve the problem, check the failed requests queue on the CA for information about why the request failed.

To perform the following procedures, you must have Manage CA permission, or you must have been delegated the appropriate authority.

Confirm the certificate chain for the CA

To validate the chain for the CA:

Click Start, type mmc, and then press ENTER.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

On the File menu, click Add/Remove Snap-in, click Certificates, and then click Add.

Click Computer account, and click Next.

Select the computer hosting the CA, click Finish, and then click OK.

Select each CA certificate in the certificate chain, and click View Certificate.

Click the Details tab, and click Copy to File to start the Certificate Export Wizard. Save each certificate with a .cer extension.

Open a command prompt and run the following command on each CA certificate: certutil -urlfetch -verify <CAcert.cer> and then press ENTER. Replace <CAcert.cer> with the name of a CA certificate file that you saved in step 7.

Use the same command with a certificate file for an end-entity (user or computer) certificate issued by the CA to confirm CRLs for the CA itself as well as its chain.

Resolve any problems identified in the command line output.

Generate and publish new CRLs

If the command line output indicates that a CRL for a CA has expired, generate new base and delta CRLs on the CA and copy them to the required locations. You may need to restart an offline CA to do this.

On the CA, check the current published CRL. By default, the CA creates CRLs in the folder %windir%\System32\CertSrv\CertEnroll. If the CRLs currently in this location have expired or are invalid, you can use the following procedure to publish a new CRL.

To publish a new CRL by using the Certification Authority snap-in:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

Select the CA, and expand the folders below the CA name.

Right-click the Revoked Certificates folder.

Click All Tasks, and then click Publish.

You can also generate and publish CRLs from a command prompt.

To publish a CRL by using the Certutil command-line tool:

On the computer hosting the CA, click Start, type cmd and press ENTER..

Type certutil -CRL and press ENTER.

If a CRL is identified as unavailable but a valid CRL exists in the local directory on the CA, confirm that the CA can connect to the CRL distribution point, and then use the preceding steps to generate and publish CRLs again.

CRLs can be published manually to Active Directory Domain Services (AD DS) by using the following command:

Replace crlname.crl with the name of your CRL file, <CA name> and <CA hostname> with your CA name and the name of the host on which that CA runs, and <contoso> and <com> with the namespace of your Active Directory domain.

Confirm configured CRL distribution points

Check all configured CRL distribution points to confirm that publication was successful and that new CRLs are available on the network.

To check the configured CRL distribution points by using the Certification Authority snap-in:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

Right-click the name of the CA, and click Properties.

Click the Extensions tab.

Review the configured CRL distribution points to make sure the information is correct.

To check the configured CRL distribution point URLs by using Certutil:

Open a command prompt window on the CA.

Type the following command: certutil -getreg ca\crlpublicationurls and press ENTER.

Check the failed requests queue on the CA

To check the failed requests queue on the CA by using the Certification Authority snap-in:

On the computer hosting the CA, click Start, point to Administrative Tools, and click Certification Authority.

Click the Failed Requests folder.

Look for failed requests that were submitted at or near the time of the event, and check columns such as the Request Disposition Message, Request Status Code, and Requester Name for additional diagnostic information.

To check failed requests by using Certutil:

On the computer hosting the CA, click Start, type cmd and press ENTER.

Type certutil -view LogFail and press ENTER.

Type certutil -view -restrict requestID="<nnn>" and press ENTER. Replace <nnn> with the Request ID of one of the failed requests in the output of the LogFail command.

Verify

To perform this procedure, you must have permission to request a certificate.

To confirm that certificate request processing is working properly:

Click Start, type certmgr.msc, and then press ENTER.

If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

In the console tree, double-click Personal, and then click Certificates.

On the Action menu, point to All Tasks, and click Request New Certificate to start the Certificate Enrollment wizard.

Use the wizard to create and submit a certificate request for any type of certificate that is available.

Under Certificate Installation Results, confirm that the enrollment completes successfully and no errors are reported. You can also click Details to view additional information about the certificate.